IPFS is being used as a new platform for phishing, hosting content across a decentralized network and complicating takedowns. The article surveys IPFS phishing URLs, highlighting the services attackers abuse (Infura IPFS, Filebase/IPFS, NFT Storage, Surge.sh) and typical attack patterns such as URL redirection, obfuscated code, and credential theft forms.
#IPFS #ChameleonPhishingPage #InfuraIPFS #FilebaseIPFS #NFTStorage #SurgeSh #O365SpamTools
Keypoints
- Phishing campaigns are increasingly leveraging IPFS-hosted content to deliver malicious URLs.
- Over 3,000 emails with IPFS phishing URLs were observed in the last 90 days, signaling growing use of IPFS in phishing.
- Attackers abuse multiple IPFS services (Infura IPFS, Filebase/IPFS, NFT.Storage, Fleek/IPFS, etc.) to host malicious content and evade takedowns.
- Phishing pages use redirection chains (including Googleweblight) and obfuscated code to hide malicious content and hinder analysis.
- The phishing pages include credential collection via forms, with stolen data posted upon form submission.
- A fake billing notification email and a Microsoft login flow illustrate social engineering techniques paired with credential harvesting.
- Coordination among spammers is evidenced by a Telegram group (O365 Spam Tools) and shared phishing templates hosted on third-party services.
MITRE Techniques
- [T1566.002] Spearphishing Link: Phishing emails contain IPFS URLs as payloads to lure victims. "phishing emails containing IPFS URLs as their payload."
- [T1059.007] JavaScript: The phishing HTML attachment contains JavaScript that launches the phishing page. "The malicious HTML attachment contains JavaScript code which launches the phishing page. The setTimeout() function was used to open the phishing URL with 0 delay in a new browser tab."
- [T1027] Obfuscated/Compressed Files and Information: The initial URL's source code usually contains some obfuscated code. "The initial URL's source-code usually contains some obfuscated code."
- [T1056.001] Input Capture: The phishing page source code contains the details that will be stolen from the victim. "The phishing page source-code contains the details that will be stolen from the victim."
- [T1567.002] Exfiltration Over Web Service: Stolen credentials are posted after the form is submitted. "stolen credentials are posted once the submit button event is triggered."
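As an added defender-side example (not code from the Trustwave article), the following Python flags the delivery pattern described in the key points and techniques above: IPFS gateway URLs (path-style `/ipfs/<CID>` or subdomain-style `<CID>.ipfs.<host>`) inside an email body or HTML attachment, combined with a setTimeout-driven auto-open. The regexes, the refang helper and the sample attachment are my constructions; the sample URL reuses one of the report's IPFS IoCs.

```python
import re
from dataclasses import dataclass

def refang(text: str) -> str:
    """Undo the "[.]" / "hxxp" defanging used in threat reports so published IoCs can be fed in directly."""
    return text.replace("[.]", ".").replace("hxxp", "http")

# CIDv0 is a 46-char base58btc string starting "Qm"; CIDv1 as served by gateways is lower-case base32 starting "b".
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
# Path-style gateway URL: https://<host>/ipfs/<cid>   Subdomain-style gateway URL: https://<cid>.ipfs.<host>
PATH_URL = re.compile(r"https?://([A-Za-z0-9.-]+)/ipfs/(" + CID + r")")
SUBDOMAIN_URL = re.compile(r"https?://(" + CID + r")\.ipfs\.([A-Za-z0-9.-]+)")
# Timer-driven open of a URL, the auto-launch behaviour the report attributes to the HTML attachment.
AUTO_OPEN = re.compile(r"setTimeout\s*\(.*?(window\.open|location(\.href)?\s*=)", re.S)

@dataclass(frozen=True)
class IpfsRef:
    gateway: str
    cid: str
    style: str  # "path" or "subdomain"

def extract_ipfs_refs(text: str) -> list[IpfsRef]:
    """Return every IPFS gateway URL found in text (email body or attachment), de-duplicated in order."""
    text = refang(text)
    found = [IpfsRef(host.lower(), cid, "path") for host, cid in PATH_URL.findall(text)]
    found += [IpfsRef(host.lower(), cid, "subdomain") for cid, host in SUBDOMAIN_URL.findall(text)]
    return list(dict.fromkeys(found))

def assess_attachment(html: str) -> dict:
    """IPFS URL plus a timer-driven open is the reported pattern; an IPFS URL alone still deserves review."""
    refs = extract_ipfs_refs(html)
    auto_open = bool(AUTO_OPEN.search(html))
    verdict = "suspicious" if refs and auto_open else ("review" if refs else "clean")
    return {"ipfs_refs": refs, "auto_open": auto_open, "verdict": verdict}

# Constructed sample attachment: a zero-delay setTimeout opening an IPFS URL in a new tab (CID from the report's IoCs).
SAMPLE_HTML = """<html><body><script>
setTimeout(function(){ window.open("https://ipfs[.]fleek[.]co/ipfs/bafybeiddmwwk3rvvu5zlweszoyvo54v3corf2eu4fmhxwprhxitj2jdrmi", "_blank"); }, 0);
</script></body></html>"""

if __name__ == "__main__":
    print(assess_attachment(SAMPLE_HTML))
```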
Indicators of Compromise
- [URL] IPFS phishing links: https://ipfs[.]fleek[.]co/ipfs/bafybeiddmwwk3rvvu5zlweszoyvo54v3corf2eu4fmhxwprhxitj2jdrmi, https://ipfs[.]fleek[.]co/ipfs/bafybeic63bwxphx3sasgvpb2fvy766aiymvy2pzoz3htx7zomysw67jucu, and 2 more URLs
- [URL] Phishing host pages: https://jobswiper[.]net/web_data_donot_delete/store/w3lllink[.]php, https://jobswiper[.]net/web_data_donot_delete/
- [URL] Abused hosting domains: o365spammerstestlink[.]surge[.]sh
- [URL] Additional IPFS-hosted phishing references: https://nftstorage[.]link/ipfs/… and https://o365spammerstestlink[.]surge[.]sh/
Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/